andrewrk / node-s3-client

high level amazon s3 client for node.js
MIT License

s3 relies on outdated mime package with security issue #190

Open naderm opened 6 years ago

naderm commented 6 years ago

It looks like node-s3-client requires mime@~1.2.11 which is vulnerable to a regular expression denial of service exploit. This exploit is fixed in mime@^1.4.1 or mime@^2.0.3.
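To check whether a project still pulls in an affected copy of mime through a nested dependency such as s3, the following added example (not part of the original issue or of node-s3-client) walks a parsed package-lock.json and reports every mime install below the fixed versions named above. The function names, the sample lockfile, `example-lib` and the placeholder versions are constructed for illustration, and treating every release below 1.4.1 as affected is an assumption drawn from the fix versions in the report.

```javascript
// Added example: flag mime installs below the fixed versions in the issue (1.4.1 / 2.0.3).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}
function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}
// Assumption: everything below 1.4.1, and 2.x below 2.0.3, is affected.
function isVulnerableMime(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable version: surface it for manual review
  if (v[0] < 2) return lessThan(v, [1, 4, 1]);
  return v[0] === 2 && lessThan(v, [2, 0, 3]);
}

function findVulnerableMime(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path.
    for (const [key, info] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/mime$/.test(key) && isVulnerableMime(info.version)) {
        hits.push({ path: key, version: info.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" objects.
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = trail.concat(name);
      if (name === 'mime' && isVulnerableMime(info.version)) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed lockfile fragment; package versions other than mime's are placeholders.
const sampleLock = { lockfileVersion: 1, dependencies: {
  mime: { version: '2.0.3' },
  s3: { version: '0.0.0', dependencies: { mime: { version: '1.2.11' } } },
  'example-lib': { version: '0.0.0', dependencies: { mime: { version: '2.0.1' } } },
} };
console.log(findVulnerableMime(sampleLock));
```

On a real project, pass the result of `JSON.parse` on the contents of package-lock.json; a non-empty result means a transitive dependency still pins an affected mime even if the top-level one is current.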

carterbancroft commented 6 years ago

Yes, this is breaking our builds. I've submitted a PR to bump that version here https://github.com/andrewrk/node-s3-client/pull/191

Can we merge this?

matrus2 commented 6 years ago

+1

matrus2 commented 6 years ago

This repository seems to be dead. I am going to either change it to something else or fork it. Last commit was on Jan 19, 2017.

matrus2 commented 6 years ago

FYI: Fork with updated dependencies:

https://github.com/matrus2/node-s3-client

breathe commented 6 years ago

Thank you @matrus2 -- your fork works for me (appears to resolve an unrelated bug I was hitting)!

Recommend -- are you planning to maintain the fork?

matrus2 commented 6 years ago

@breathe Yes, this is a plan.